Reported

June 8, 2018

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

actix-web (crates.io)

Type

Vulnerability

Categories

• memory-corruption

Aliases

• CVE-2018-25024
• CVE-2018-25025
• CVE-2018-25026
• GHSA-7x36-h62w-vw65
• GHSA-9qj6-4rfq-vm84
• GHSA-fgfm-hqjw-3265
• GHSA-w65j-g6c7-g3m4

References

• https://github.com/actix/actix-web/issues/289

Patched

• >=0.7.15

Description

Affected versions contain multiple memory safety issues, such as:

• Unsoundly coercing immutable references to mutable references
• Unsoundly extending lifetimes of strings
• Adding the Send marker trait to objects that cannot be safely sent between threads

This may result in a variety of memory corruption scenarios, most likely use-after-free.

A significant refactoring effort has been conducted to resolve these issues.

Advisory available under CC0-1.0 license.